satellite-provider

mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-21 13:41:15 +00:00

Author	SHA1	Message	Date
Oleksandr Bezdieniezhnykh	490902c80a	[AZ-810] Strict validation for POST /api/satellite/upload metadata Adds the per-endpoint child of AZ-795 ("Strict Input Validation Epic") for the UAV upload multipart endpoint. Three new validators land under SatelliteProvider.Api/Validators/: - UavTileBatchMetadataPayloadValidator: items NotNull + NotEmpty + count <= MaxBatchSize + RuleForEach dispatching to the per-item validator. - UavTileMetadataValidator: lat / lon / tileZoom range, tileSizeMeters > 0, capturedAt within [now - MaxAgeDays, now + future-skew]; uses an injectable TimeProvider so unit tests can drive a fixed clock. - UavUploadValidationFilter: IEndpointFilter that reads the multipart `metadata` form field, deserializes it with the strict global JsonSerializerOptions (so UnmappedMemberHandling.Disallow + [JsonRequired] from AZ-795 are honored), runs the FluentValidation chain, and enforces the cross-field `items.Count == files.Count` envelope rule. FluentValidation errors are prefixed with `metadata.` so wire keys look like `errors["metadata.items[0].latitude"]`. [JsonRequired] is added to every non-optional axis on UavTileMetadata and UavTileBatchMetadataPayload; FlightId stays nullable per AZ-503 anonymous-flight semantics. Coverage: 13 unit tests + 16 integration tests + 1 curl probe script exercise the happy path and every failure mode. All 9 ACs covered; no regression in AZ-488 UavUploadTests payloads (traced against the new rules). Documentation: uav-tile-upload.md bumped v1.1.0 -> v1.2.0 with the new validation rules section + 400-shape examples + changelog entry. api_program.md updated to describe the three new validators + filter + the AddTransient<UavUploadValidationFilter>() DI registration. Reports: batch_04_cycle8_report.md + reviews/batch_04_cycle8_review.md record the PASS_WITH_WARNINGS verdict (2 Low DRY-in-tests findings: FixedTimeProvider duplication crossed the cycle-2 "promote to shared" threshold; PostBatch helper duplicated between two integration suites). Both deferred to follow-up PBIs. Task spec archived: _docs/02_tasks/todo/AZ-810... -> done/. Jira: AZ-810 transitioned In Progress -> In Testing. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-23 13:32:19 +03:00
Oleksandr Bezdieniezhnykh	5e056b2334	[AZ-809] Strict validation for POST /api/satellite/route Third concrete child of AZ-795 (cycle 8 batch 3). FluentValidation + [JsonRequired] + UnmappedMemberHandling.Disallow combine to reject every malformed payload at the API boundary with RFC 7807 ValidationProblemDetails. Validators (SatelliteProvider.Api/Validators/, all new) - CreateRouteRequestValidator: id non-empty, name/description length, regionSizeMeters/zoomLevel ranges, points count [2, 500], cross-field createTilesZip => requestMaps. Chains RoutePointValidator (per-point) and GeofencePolygonValidator (per-polygon, guarded by When(Geofences != null)). OverridePropertyName("geofences.polygons") on the geofences chain so FluentValidation's default leaf-only key policy doesn't drop the parent path on deep expressions like req.Geofences!.Polygons. - RoutePointValidator: lat/lon ranges; OverridePropertyName("lat"/"lon") chained AFTER InclusiveBetween (the extension is defined on IRuleBuilderOptions<T, TProperty>, so the generic type is only inferable after the first concrete rule) so error keys match the wire format (`points[i].lat`) rather than the C# property name (`points[i].latitude`). - GeofencePolygonValidator: per-corner range checks via private nested GeoCornerValidator; cross-field NW.Lat > SE.Lat and NW.Lon < SE.Lon invariants emit at errors["geofences.polygons[i].northWest"]. DTOs (SatelliteProvider.Common/DTO/, [JsonRequired] additions only) - CreateRouteRequest: id, name, regionSizeMeters, zoomLevel, points, requestMaps, createTilesZip - RoutePoint: Latitude, Longitude - GeofencePolygon: NorthWest, SouthEast; Geofences: Polygons - GeoPoint: Lat, Lon Tests - Unit: 26 methods total — 16 in CreateRouteRequestValidatorTests, 6 in GeofencePolygonValidatorTests, 4 in RoutePointValidatorTests. Each RuleFor/RuleForEach chain has at least one positive + one negative case. - Integration: CreateRouteValidationTests.cs — 16 methods (happy + 15 failure modes) wired into smoke + full suites. Covers empty body, missing/zero id, empty name, out-of-range regionSizeMeters/zoomLevel, points count < 2, per-point lat/lon out-of-range, geofence invariants, missing requestMaps, cross-field createTilesZip, unknown root field, nested type mismatch. - Manual probe: scripts/probe_route_validation.sh curl-exercises every failure mode end-to-end + happy path. Docs - New contract _docs/02_document/contracts/api/route-creation.md v1.0.0 with nested DTO chain, invariants, per-field test cases table, and advisories on the legacy service-layer RouteValidator + the input/output RoutePoint vs RoutePointDto naming asymmetry. - system-flows.md F4 sequence diagram extended with the validation-filter branch; preconditions + error scenarios reference the new contract. - modules/api_program.md: CreateRoute handler section added; Api/Validators bumped to AZ-808/AZ-809/AZ-811. - modules/common_dtos.md: DTO descriptions updated with [JsonRequired] annotations and constraint summaries. - tests/blackbox-tests.md BT-06/BT-N03/BT-N04/BT-N05 align with the new wire format and named error keys. - tests/security-tests.md SEC-04 references GlobalExceptionHandler's JsonException branch + AZ-353 correlationId. - _docs/03_implementation/batch_03_cycle8_report.md + reviews/batch_03_cycle8_review.md (PASS_WITH_NOTES — F1 Low: OverridePropertyName documented inline, F2 + F3 Info: pre-existing advisories for follow-up). Smoke green (mode=smoke, exit 0). AZ-809 transitioned to In Testing on Jira. Task file moved to _docs/02_tasks/done/. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-22 17:49:48 +03:00
Oleksandr Bezdieniezhnykh	34ee1e0b83	[AZ-808] [AZ-811] Strict validation on region POST + lat/lon GET AZ-808: FluentValidation for POST /api/satellite/request - RegionRequestValidator: id non-empty, lat/lon/sizeMeters/zoomLevel ranges - RequestRegionRequest: [JsonRequired] on every property, no implicit defaults - Wired via .WithValidation<RequestRegionRequest>() in MapPost chain - Unit + integration tests + curl probe script - New contract: contracts/api/region-request.md v1.0.0 AZ-811: FluentValidation + envelope filter for GET /api/satellite/tiles/latlon - GetTileByLatLonQuery: nullable record (double?/int?) so the minimal-API binder never short-circuits with BadHttpRequestException before filters - GetTileByLatLonQueryValidator: Cascade(Stop) + NotNull + InclusiveBetween per param; missing surfaces as `\`<name>\` is required.` - RejectUnknownQueryParamsEndpointFilter: reusable IEndpointFilter that rejects any query key outside the allowed set with errors[<key>] map; catches legacy `?Latitude=` typos and hostile probes (`?debug=1&admin=1`) - Handler: [AsParameters] GetTileByLatLonQuery + .Value deref post-validator - Unit (validator + filter) + integration tests + curl probe script - New contract: contracts/api/tile-latlon.md v1.0.0 Shared hygiene - Promote AssertErrorsContainsMention from per-test-file private helpers to ProblemDetailsAssertions (closes batch-1 Low-severity DRY warning) - Sync Swagger param descriptions, README, blackbox/security/perf scripts, uuidv5 doc with the new lat/lon/zoom query-param names Docs - system-flows.md F1/F2 reference the new contracts + validation layers - modules/api_program.md adds Api/Validators + Api/DTOs sections - _autodev_state.md: batch 2 of 4 complete; next batch = AZ-809 All smoke tests green (mode=smoke, exit 0). AZ-808 + AZ-811 transitioned to In Testing on Jira. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-22 16:29:41 +03:00
Oleksandr Bezdieniezhnykh	865dfdb3b9	[AZ-794] [AZ-795] [AZ-796] Strict input validation + z/x/y rename ci/woodpecker/push/01-test Pipeline was successful Details ci/woodpecker/push/02-build-push Pipeline was successful Details AZ-794: rename inventory wire fields tileZoom/tileX/tileY -> z/x/y to match the slippy-map URL convention. Contract bumped to v2.0.0. AZ-795: shared validation infrastructure -- FluentValidation + ValidationEndpointFilter + GlobalValidatorConfig (camelCase paths). GlobalExceptionHandler now converts JsonException (UnmappedMember + JsonRequired) into RFC 7807 ValidationProblemDetails. JSON layer hardened with UnmappedMemberHandling.Disallow + camelCase naming policy. New error-shape.md contract. AZ-796: InventoryRequestValidator covers 9 rules (XOR tiles vs locationHashes, cap 1000, z 0..22, x/y in slippy bounds, hash length/charset). 16 unit tests + 16 integration tests + a manual curl probe script. Adjacent fixes uncovered by the new strict layer: - IdempotentPostTests RoutePoint payload corrected to lat/lon (the DTO has used JsonPropertyName for ages; previously silently ignored under PascalCase fallback). - TileInventoryTests slippy x/y reduced to fit z=18 bounds. - docker-compose.yml host port for Postgres moved 5432 -> 5433 to avoid sibling-project conflict; appsettings.Development + README + AGENTS + architecture + containerization docs aligned. New coderule (suite + repo): API consumer-facing OpenAPI descriptions must not contain task IDs, contract filenames, or version-bump history -- internal change tracking belongs in commits/contract docs/changelogs. Existing offending descriptions in Program.cs cleaned up. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-22 10:02:02 +03:00
Oleksandr Bezdieniezhnykh	c74a2339aa	[AZ-505] AC-5 fix: enable TLS for HTTP/2 via ALPN ci/woodpecker/push/01-test Pipeline was successful Details ci/woodpecker/push/02-build-push Pipeline was successful Details Kestrel with HttpProtocols.Http1AndHttp2 on a plaintext listener silently downgrades to HTTP/1.1-only (logs "HTTP/2 is not enabled ... TLS is not enabled"), so AC-5's multiplexed-GET test failed with HTTP_1_1_REQUIRED. ALPN cannot run over plaintext, so the fix switches the dev listener to TLS on https://+:8080: - scripts/run-tests.sh generates a self-signed dev cert idempotently (./certs/api.pfx + api.crt) via openssl in an alpine container; certs/ is gitignored. - docker-compose.yml binds Kestrel to ASPNETCORE_URLS=https://+:8080 with Kestrel__Certificates__Default__Path bound to the .pfx. - docker-compose.tests.yml mounts api.crt into the integration-tests container's CA store and runs update-ca-certificates so HttpClient trusts the cert transparently; default API_URL is now https://api:8080. - Drop the obsolete Http2UnencryptedSupport AppContext switch from Http2MultiplexingTests; ALPN over TLS handles negotiation. Test-data fixes caught on the post-TLS rerun (independent of the TLS switch but surfaced together): - Http2MultiplexingTests: switch slippy coords from (154321, 95812) -- which Google Maps returns 404 for -- to (158485, 91707), the slippy projection of (47.461747, 37.647063) already exercised by JwtIntegrationTests. - TileInventoryTests + LeafletPathIndexOnlyTests: SpecifyKind to Unspecified at the binding site for raw Npgsql seed paths writing into tiles.captured_at / created_at / updated_at (TIMESTAMP without tz). Npgsql v6+ refuses Kind=Utc into plain timestamp columns; production goes through Dapper and never hits this code path. - MigrationTests Az503NewUniqueIndexCoversIntegerKeyAndFlightId: accept either idx_tiles_location_hash (migration 014) or its AZ-505 successor tiles_leaflet_path (migration 015) -- both have location_hash as the leading column, which is the AC-9 intent. Docs updated to reflect the TLS+ALPN path: tile-inventory.md Non-Goals, modules/api_program.md, module-layout.md, the AZ-505 task spec's Risk 3, and the cycle 6 implementation + completeness reports. The full integration test suite passes (mode=full, exit 0). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 22:19:26 +03:00
Oleksandr Bezdieniezhnykh	909f69cb3a	[AZ-505] Tile inventory endpoint + HTTP/2 + Leaflet covering index Production code: - POST /api/satellite/tiles/inventory (XOR body, 5000-cap, most-recent-per-location_hash select, present/absent shaping). - Kestrel HttpProtocols.Http1AndHttp2 on every listener (AC-5). - Migration 015 creates tiles_leaflet_path covering index over (location_hash, captured_at DESC, updated_at DESC, id DESC) INCLUDE (file_path, source); drops superseded idx_tiles_location_hash. - TileRepository.GetByTileCoordinatesAsync rewired to filter by location_hash (Index Only Scan via tiles_leaflet_path). - TileRepository.GetTilesByLocationHashesAsync added with Npgsql- direct ANY($1::uuid[]) binding (Dapper IEnumerable expansion is incompatible with the array form). - Uuidv5.LocationHashForTile centralises the UUIDv5(TileNamespace, "{z}/{x}/{y}") formula — single source of truth for the cross-repo invariant (gps-denied-onboard parity). Contracts: - New: contracts/api/tile-inventory.md v1.0.0. - Bumped: contracts/data-access/tile-storage.md to v2.0.0 (joint ownership by AZ-503-foundation + AZ-505: schema + covering index + GetByTileCoordinatesAsync rewrite). Tests: - TileInventoryTests covers AC-1, AC-2 (DB-level), AC-4, AC-6. - Http2MultiplexingTests covers AC-5 (20 concurrent multiplexed GETs over h2c via SocketsHttpHandler + AppContext Http2Unencrypted switch). - LeafletPathIndexOnlyTests covers AC-3 (EXPLAIN (ANALYZE, BUFFERS) asserts Index Only Scan over tiles_leaflet_path with heap_blocks=0). Docs: - architecture.md, system-flows.md, data_model.md, module-layout.md, glossary.md, modules/api_program.md, modules/dataaccess_tile_repository.md, components/02_data_access/description.md all updated to reference the v2.0.0 tile-storage contract + new tile-inventory contract + AC-7. Reports: - batch_01_cycle6_report.md, batch_01_cycle6_review.md, implementation_completeness_cycle6_report.md (PASS), implementation_report_tile_inventory_cycle6.md. Task spec moved todo/ -> done/. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 21:16:37 +03:00
Oleksandr Bezdieniezhnykh	61612044fb	[AZ-503] [AZ-504] Cycle 5 Steps 11-15 sync Wrap up cycle 5 verification + documentation: - Steps 10/11 wrap-up reports (implementation_completeness + implementation_report) for the AZ-503-foundation + AZ-504 batch. - Step 12 test-spec sync: AZ-503-foundation/AZ-504 ACs appended; AZ-505 deferred ACs recorded. - Step 13 update-docs: architecture, data-model, glossary, module- layout, uav-tile-upload contract (v1.1.0), DataAccess + Services + Tests module docs synced; new common_uuidv5.md module doc. - Step 14 security audit: PASS_WITH_WARNINGS; 0 new Critical/High; 2 new Low informational (F1 flightId provenance, F2 pgcrypto deploy gap). - Step 15 performance test: PASS_WITH_INFRA_WARNINGS; PT-08 passed twice (AZ-504 fix verified); PT-01/02 failed due to recurring local Docker/colima DNS cold-start (not an app regression). Cycle-3 perf-harness leftover stays OPEN with replay #5 documented. - Autodev state moved to Step 16 (Deploy). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 18:01:27 +03:00
Oleksandr Bezdieniezhnykh	1802d32107	[AZ-488] UAV tile batch upload + 5-rule quality gate Replaces the 501 stub at POST /api/satellite/upload with a multipart batch endpoint that ingests UAV-captured tiles, runs each item through a 5-rule quality gate, and persists accepted tiles via the AZ-484 multi-source storage path with source='uav'. Quality gate (in fixed order, first failure wins): JPEG format (content-type + magic), size band 5 KiB-5 MiB, exact 256x256 dimensions, captured-at age (no future >30 s skew, no older than 7 days), luminance variance on 32x32 downsample. Closed reject-reason enumeration in v1.0.0 contract. Authorization: custom PermissionsRequirement / PermissionsAuthorization Handler that reads the JWT `permissions` claim (tolerates both repeated-string and JSON-array shapes). Endpoint protected by RequiresGpsPermission policy; 401 without token, 403 without GPS perm. Persistence: file-first to ./tiles/uav/{z}/{x}/{y}.jpg, then ITileRepository.InsertAsync UPSERT (per-source UPSERT contract from AZ-484). Per-item failures reported in response without aborting the batch. Kestrel MaxRequestBodySize and FormOptions limits set to MaxBatchSize x MaxBytes (default 100 x 5 MiB = 500 MiB). New frozen contract: _docs/02_document/contracts/api/uav-tile-upload.md v1.0.0. PT-08 NFR added to performance-tests.md as Deferred (harness work tracked in PT-07 leftover, per AZ-488 § Risk 4). Tests: 11 quality-gate unit tests, 5 handler unit tests, 3 file-path unit tests, 12 permission-handler unit tests, 7 integration tests (AC-1..AC-6, AC-8). All 253 unit tests + smoke integration suite green. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-11 23:50:49 +03:00

8 Commits